Insert certificate into agent for existing key?
Brian Candler
b.candler at pobox.com
Sun Feb 7 23:09:41 AEDT 2021
Does the ssh-agent protocol allow adding a certificate for a private key
which it already has? The idea is to issue a certificate for a key the
agent already has, to avoid the entropy drain of generating a new key.

https://tools.ietf.org/html/draft-miller-ssh-agent-04 shows private
keys, and doesn't mention certificates at all. However, it does say:
"Typically only the public components of any keys supported on a
hardware token will be loaded into an agent" - which suggests that the
SSH_AGENTC_ADD_IDENTITY message might be able to carry only the public
parts of a key.

https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys
defines new *public* key formats for certificates - they don't contain
the private key components as far as I can see.

However, looking at the Go ssh-agent client, it inserts a private key
and certificate in a single SSH_AGENTC_ADD_IDENTITY or
SSH_AGENTC_ADD_ID_CONSTRAINED message:
https://github.com/golang/crypto/blob/master/ssh/agent/client.go#L664
(and I haven't been able to find documentation which defines that
private key + certificate message format).

So basically: can I send just a certificate to ssh-agent? And if so,
how is that done?
Thanks,
Brian.
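The message format the post is asking about, as an added example (not code from the thread, from OpenSSH or from the Go client): it builds and parses the SSH_AGENTC_ADD_IDENTITY body for an Ed25519 key, both with and without a certificate, following the layout OpenSSH's private-key serialization uses on the agent socket: type name, then (for a certificate key type only) the certificate blob, then the 32-byte public key, the 64-byte private key (seed followed by public key), and the comment. The key bytes and the certificate blob are constructed placeholders, not real credentials, and the sk-tail-equals-pk consistency check is this example's own. What the layout makes visible is that the certificate variant still carries the private key material: there is no message that carries a certificate alone, so adding a certificate means re-adding the key together with it.

```python
"""
SSH_AGENTC_ADD_IDENTITY wire layout for an Ed25519 key, with and without an
OpenSSH certificate. Added example with constructed sample bytes only.
"""
import struct
from typing import Optional

SSH_AGENTC_ADD_IDENTITY = 17
ED25519 = b"ssh-ed25519"
ED25519_CERT = b"ssh-ed25519-cert-v01@openssh.com"


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_add_identity(pk: bytes, sk: bytes, comment: bytes,
                       cert_blob: Optional[bytes] = None) -> bytes:
    """Build an unframed add-identity request for an Ed25519 key.

    Layout: type name, [certificate blob if cert type], 32-byte pk,
    64-byte sk (seed || pk), comment. The private part is always present;
    the protocol defines no certificate-only variant of this message.
    """
    if len(pk) != 32 or len(sk) != 64:
        raise ValueError("ed25519 needs a 32-byte pk and a 64-byte sk")
    if cert_blob is None:
        body = ssh_string(ED25519)
    else:
        body = ssh_string(ED25519_CERT) + ssh_string(cert_blob)
    body += ssh_string(pk) + ssh_string(sk) + ssh_string(comment)
    return bytes([SSH_AGENTC_ADD_IDENTITY]) + body


def frame(msg: bytes) -> bytes:
    """Prefix a message with its 4-byte length, as sent over the agent socket."""
    return struct.pack(">I", len(msg)) + msg


def read_string(buf: bytes, off: int):
    """Decode one SSH string at offset `off`; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def parse_add_identity(msg: bytes) -> dict:
    """Parse an unframed add-identity message back into its fields."""
    if not msg or msg[0] != SSH_AGENTC_ADD_IDENTITY:
        raise ValueError("not an SSH_AGENTC_ADD_IDENTITY message")
    off = 1
    key_type, off = read_string(msg, off)
    fields = {"type": key_type, "cert": None}
    if key_type == ED25519_CERT:
        fields["cert"], off = read_string(msg, off)   # certificate blob comes first
    elif key_type != ED25519:
        raise ValueError("this example handles only ed25519 key types")
    fields["pk"], off = read_string(msg, off)
    fields["sk"], off = read_string(msg, off)
    fields["comment"], off = read_string(msg, off)
    if off != len(msg):
        raise ValueError("trailing bytes after comment")
    # Consistency check added by this example: sk = seed || pk for ed25519.
    if len(fields["pk"]) != 32 or len(fields["sk"]) != 64 or fields["sk"][32:] != fields["pk"]:
        raise ValueError("inconsistent ed25519 key material")
    return fields


# Constructed sample values (not a real key pair or a real certificate).
SAMPLE_PK = bytes(range(32))
SAMPLE_SK = b"\x01" * 32 + SAMPLE_PK
SAMPLE_CERT = b"<constructed placeholder for a signed certificate blob>"

if __name__ == "__main__":
    plain = build_add_identity(SAMPLE_PK, SAMPLE_SK, b"token key")
    with_cert = build_add_identity(SAMPLE_PK, SAMPLE_SK, b"token key", SAMPLE_CERT)
    for m in (plain, with_cert):
        f = parse_add_identity(m)
        print(f["type"].decode(), "cert" if f["cert"] else "no cert",
              len(frame(m)), "framed bytes")
```

Sending `frame(with_cert)` to the agent socket registers the certificate, but only because the private key travels in the same message; an agent that already holds the key simply receives it again alongside the certificate.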